<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hello,<br>
    </p>
    <p>So the problem here is, again, linked to the fact that I'm using
      a test SELinux policy that doesn't contain all the needed
      contexts, so yeah, it's a mix of a configuration issue and the fact
      that podman is not ignoring these errors when SELinux is in
      permissive mode. I'll ping upstream again.</p>
    <p>So the remaining problem here is the iptables command not being
      installed (and, to a lesser extent, the seccomp.json file missing)<br>
    </p>
    <div class="moz-cite-prefix">On 21/04/21 at 10:21, Laurent Bigonville
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:bbce1e95-cf42-4d9d-ad05-da867f3e8f57@debian.org">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <p>Hello,</p>
      <p>I just did a minimal test VM and... it indeed works...</p>
      <p>I'll investigate why on my machine it's not working.<br>
      </p>
      <p>But, on the test VM, podman still fails because "iptables" is
        not installed; only "nft" is installed by default now. So there
        is still a problem here.<br>
      </p>
      <div class="moz-cite-prefix">On 21/04/21 at 05:02, Reinhard Tartler
        wrote:<br>
      </div>
      <blockquote type="cite"
cite="mid:CAJ0cceY8-LZBwgVhOXC8yKuC+tyJj9aw46VA_4LKw0NSKOkoSw@mail.gmail.com">
        <meta http-equiv="content-type" content="text/html;
          charset=UTF-8">
        <div dir="ltr">
          <div dir="ltr">
            <div class="gmail_default" style="font-family:courier
              new,monospace">Control: tag -1 moreinfo</div>
            <div class="gmail_default" style="font-family:courier
              new,monospace"><br>
            </div>
            <div class="gmail_default" style="font-family:courier
              new,monospace">Hi Laurent,</div>
            <div class="gmail_default" style="font-family:courier
              new,monospace"><br>
            </div>
            <div class="gmail_default" style="font-family:courier
              new,monospace">I've downloaded the Bullseye Alpha 3 debian
              installer and installed using kvm to have a super clean
              new system. Unfortunately, I was unable to reproduce the
              issue that you described below. (I did find some issues
              with rootless podman outside of a gnome-session, but
              that's a different story).<br>
              <br>
              The symptoms sound a lot like described in this upstream
              bug: <a
                href="https://github.com/containers/podman/issues/5721"
                moz-do-not-send="true">https://github.com/containers/podman/issues/5721</a><br>
              <br>
              Can you please compare your notes with that upstream bug?
              Can you confirm that the 'overlay' kernel module is
              loaded? (in my test, it was loaded automatically). If you
              still think this is an issue in the Debian package, please
              let me know. I may require your assistance with
              reproducing this issue.<br>
              <br>
              -rt</div>
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Mon, Apr 19, 2021 at
              11:54 AM Laurent Bigonville <<a
                href="mailto:bigon@debian.org" moz-do-not-send="true">bigon@debian.org</a>>
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">Package: podman<br>
              Version: 3.0.1+dfsg1-1<br>
              Severity: serious<br>
              <br>
              Hello,<br>
              <br>
              After installing podman, I cannot run it as root out of
              the box as it<br>
              fails with:<br>
              <br>
              ERRO[0000] [graphdriver] prior storage driver overlay
              failed: kernel does not support overlay fs: 'overlay' is
              not supported over extfs at
              "/var/lib/containers/storage/overlay": backing file system
              is unsupported for this graph driver<br>
              Error: kernel does not support overlay fs: 'overlay' is
              not supported over extfs at
              "/var/lib/containers/storage/overlay": backing file system
              is unsupported for this graph driver<br>
              <br>
              Looking at fedora it seems that they have a
              containers-common package<br>
              that ships a default storage.conf file:<br>
              <br>
              <a
href="https://src.fedoraproject.org/rpms/containers-common/blob/rawhide/f/storage.conf"
                rel="noreferrer" target="_blank" moz-do-not-send="true">https://src.fedoraproject.org/rpms/containers-common/blob/rawhide/f/storage.conf</a><br>
              <br>
              I see that the debian package is shipping a file in<br>
              /usr/share/containers/storage.conf (in the
              containers-storage package),<br>
              but that file is apparently not read (strace only shows
              that the file in<br>
              /etc/containers is read) and anyway unlike in fedora:<br>
              <br>
              1) the driver is not set to overlay<br>
              2) the file is installed only if the containers-storage
              package is<br>
              installed, which is not done by default.<br>
              3) that file is not read anyway, strace only shows that<br>
              /etc/containers/storage.conf is read and not<br>
              /usr/share/containers/storage.conf, so the file is
              apparently useless<br>
              <br>
              Shouldn't debian do the same thing as fedora so
              everything works OOTB?<br>
              <br>
              As a side note, I can see they are shipping also other
              files as well,<br>
              like the seccomp.json file, using strace, it seems that
              podman tries to<br>
              read them:<br>
              <br>
              [pid 14835] newfstatat(AT_FDCWD,
              "/etc/containers/seccomp.json", 0xc0000ee6b8, 0) = -1
              ENOENT (No such file or directory)<br>
              [pid 14835] newfstatat(AT_FDCWD,
              "/usr/share/containers/seccomp.json", 0xc0000ee788, 0) =
              -1 ENOENT (No such file or directory)<br>
              <br>
              Shouldn't that file be shipped by default too?<br>
              <br>
              Kind regards,<br>
              Laurent Bigonville<br>
              <br>
              -- System Information:<br>
              Debian Release: 11.0<br>
                APT prefers unstable-debug<br>
                APT policy: (500, 'unstable-debug'), (500, 'unstable'),
              (1, 'experimental-debug'), (1, 'experimental')<br>
              Architecture: amd64 (x86_64)<br>
              <br>
              Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads)<br>
              Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8
              (charmap=UTF-8), LANGUAGE=fr_BE:fr<br>
              Shell: /bin/sh linked to /usr/bin/dash<br>
              Init: systemd (via /run/systemd/system)<br>
              LSM: SELinux: enabled - Mode: Permissive - Policy name:
              refpolicy<br>
              <br>
              Versions of packages podman depends on:<br>
              ii  conmon                           2.0.25+ds1-1<br>
              ii  containernetworking-plugins      0.9.0-1+b3<br>
              ii  golang-github-containers-common  0.35.4+ds1-1<br>
              ii  init-system-helpers              1.60<br>
              ii  libc6                            2.31-11<br>
              ii  libdevmapper1.02.1               2:1.02.175-2.1<br>
              ii  libgpgme11                       1.14.0-1+b2<br>
              ii  libseccomp2                      2.5.1-1<br>
              ii  runc                             1.0.0~rc93+ds1-3<br>
              <br>
              Versions of packages podman recommends:<br>
              ii  buildah                                           1.20.0+ds1-1<br>
              ii  fuse-overlayfs                                    1.4.0-1<br>
              ii  golang-github-containernetworking-plugin-dnsname  1.1.1+ds1-4+b4<br>
              ii  slirp4netns                                       1.0.1-2<br>
              ii  tini                                              0.19.0-1<br>
              ii  uidmap                                            1:4.8.1-1<br>
              <br>
              Versions of packages podman suggests:<br>
              ii  containers-storage  1.24.8+dfsg1-1+b1<br>
              ii  docker-compose      1.25.0-1<br>
              <br>
              -- no debconf information<br>
              <br>
            </blockquote>
          </div>
          <br clear="all">
          <div><br>
          </div>
          -- <br>
          <div dir="ltr" class="gmail_signature">regards,<br>
                Reinhard</div>
        </div>
      </blockquote>
    </blockquote>
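    <p>As an added example, not part of this bug report or of podman's own
      code: a small preflight script that checks, before running podman as
      root on a fresh Debian install, the preconditions this thread turns
      on. It looks for the overlay filesystem in /proc/filesystems, reads
      the driver out of storage.conf from the two locations the report
      names, probes seccomp.json in the order the strace output above
      shows, and checks that an iptables binary is installed. The script
      name and the --run flag are my own choices, and the SELinux line is
      informational only.</p>

```shell
#!/bin/sh
# podman-preflight.sh: check the preconditions this bug report trips over
# before running podman as root on a fresh Debian install.
# Added example; not part of the bug report or of the podman project.
# The probe order for seccomp.json is the one shown by strace in the
# report; the storage.conf paths are the two the report names.

# Print the storage driver configured in a storage.conf
# (TOML line `driver = "overlay"`, normally under [storage]).
# Commented-out lines are skipped; prints nothing if no driver is set.
storage_driver_in() {
    [ -r "$1" ] || return 1
    sed -n 's/^[[:space:]]*driver[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the first existing path among the arguments; status 1 if none exists.
first_existing() {
    for p in "$@"; do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Succeed when the overlay filesystem is registered with the running kernel
# (the module is either built in or already loaded).
overlay_available() {
    grep -qw overlay /proc/filesystems 2>/dev/null
}

# Print one PASS/FAIL line per check; return the number of failures.
podman_preflight() {
    fails=0
    report() {  # $1 = 0 for pass, $2 = label, $3 = detail
        if [ "$1" -eq 0 ]; then
            printf 'PASS  %-13s %s\n' "$2" "$3"
        else
            printf 'FAIL  %-13s %s\n' "$2" "$3"
            fails=$((fails + 1))
        fi
    }

    if overlay_available; then
        report 0 overlay "listed in /proc/filesystems"
    else
        report 1 overlay "not registered; try: modprobe overlay"
    fi

    conf=$(first_existing /etc/containers/storage.conf \
                          /usr/share/containers/storage.conf) || conf=""
    drv=""
    [ -n "$conf" ] && drv=$(storage_driver_in "$conf")
    if [ "$drv" = overlay ]; then
        report 0 storage.conf "$conf sets driver = \"overlay\""
    else
        report 1 storage.conf "driver is '${drv:-unset}' (file: ${conf:-none found})"
    fi

    if sc=$(first_existing /etc/containers/seccomp.json \
                           /usr/share/containers/seccomp.json); then
        report 0 seccomp.json "$sc"
    else
        report 1 seccomp.json "missing from both /etc/containers and /usr/share/containers"
    fi

    if command -v iptables >/dev/null 2>&1; then
        report 0 iptables "$(command -v iptables)"
    else
        report 1 iptables "binary not installed (nft alone does not satisfy podman here)"
    fi

    # Informational only: the report was filed with SELinux in permissive mode.
    if [ -r /sys/fs/selinux/enforce ]; then
        if [ "$(cat /sys/fs/selinux/enforce)" = 1 ]; then
            report 0 selinux "enforcing"
        else
            report 0 selinux "permissive"
        fi
    fi

    return "$fails"
}

# Run the checks only when asked, so the helpers can be sourced separately.
if [ "${1:-}" = "--run" ]; then
    podman_preflight
    exit $?
fi
```

    <p>Save it, run <code>sh podman-preflight.sh --run</code> as root, and
      fix each FAIL line before trying <code>podman run</code> again; the
      exit status is the number of failed checks, so it can gate a
      provisioning step.</p>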
  </body>
</html>